Abstract — In [3] the authors proposed a new aggregate signature scheme referred to as multiple-TA (trusted authority) one-time identity-based aggregate signature (MTA-OTIBAS). Further, they gave a concrete MTA-OTIBAS scheme. We recall here the definition of MTA-OTIBAS and the concrete proposed scheme. Then we prove that our MTA-OTIBAS concrete scheme is existentially unforgeable against adaptively chosen-message attacks in the random oracle model under the co-CDH problem assumption.
1 Introduction

In [3] we proposed a new aggregate signature scheme referred to as multiple-TA (trusted authority) one-time identity-based aggregate signature (MTA-OTIBAS). Further, we gave a concrete MTA-OTIBAS scheme. We first recall the notion of MTA-OTIBAS; we then recall its formal definition and the concrete scheme proposed in [3]. Then, we give the detailed security proof of MTA-OTIBAS (not given in [3]).

An MTA-OTIBAS scheme has the following features. Firstly, each user's public key is his identity, so no certificate is needed on the public key, which avoids the certificate management overhead. Secondly, a signer's private key (corresponding to an identity and a lower-level TA) is restricted to be used only once; after that, the signer's private key should be updated. Thirdly, the MTA-OTIBAS scheme also allows signature aggregation and fast verification, i.e., $n$ signatures can be aggregated into a single short signature (even signatures generated by signers enrolled by different lower-level TAs), which greatly saves storage space, and can be verified simultaneously.

We recall the formal definition of MTA-OTIBAS in Section 2. In Section 3 we recall the concrete MTA-OTIBAS scheme. Then in Section 4 we prove that our MTA-OTIBAS concrete scheme is existentially unforgeable against adaptively chosen-message attacks in the random oracle model under the co-CDH problem assumption.
2 Definition of MTA-OTIBAS

An MTA-OTIBAS scheme consists of six algorithms, i.e., Root.Setup, LowerLevel.Setup, Extract, Sign, Aggregate, and Verify. Root.Setup is run by the root TA to generate the global system parameters and system master key. LowerLevel.Setup is an interactive protocol run between a lower-level TA and the root TA. It generates the secret key, public key and certificate of the lower-level TA. Extract
takes as input a lower-level TA's secret key and a signer's 
identity, and outputs a private key for the signer. Sign takes 
as input a signer's identity, his private key, the certificate of 
the signer's corresponding lower-level TA and any message, 
and outputs a signature on the message. The signature is 
only valid under the signer's identity and the certificate of 
his corresponding lower-level TA. A restriction here is that 
a private key corresponding to a specific identity issued 
by a lower-level TA can be used only once. However, the 
same identity can be enrolled by different lower-level TAs. 
This implies that the corruption of a lower-level TA does 
not influence the signers enrolled by other lower-level TAs. 
Aggregate is used to aggregate n message-signature pairs 
generated by the Sign procedure into a single signature, i.e., 
an aggregate signature. Verify is used to check the validity 
of an aggregate signature. It takes as input $n$ messages, the corresponding aggregate signature, $n$ identities enrolled by $l$ lower-level TAs, and outputs 1 or 0 to represent whether the aggregate signature is valid or not.

3 A concrete MTA-OTIBAS scheme

Our MTA-OTIBAS scheme is realized using bilinear maps, which are widely employed in identity-based cryptosystems. A map $e : G_1 \times G_2 \to G_T$ is called a bilinear map if $e(g_1, g_2) \neq 1$ and $e(g_1^{\alpha}, g_2^{\beta}) = e(g_1, g_2)^{\alpha\beta}$ for all $\alpha, \beta \in \mathbb{Z}_q^*$, where $G_1, G_2$ are two cyclic groups of prime order $q$, $G_T$ is a multiplicative cyclic group of the same order, $g_1$ is a generator of $G_1$, and $g_2$ is a generator of $G_2$. By exploiting bilinear maps, we implement our MTA-OTIBAS scheme.

Root.Setup: The root TA runs this algorithm to generate the system parameters as follows:

1) Choose $q, G_1, G_2, G_T, g_1, g_2, e, \psi$, where $\psi$ is a computable isomorphism from $G_2$ to $G_1$ with $\psi(g_2) = g_1$.

2) Pick $\kappa \in \mathbb{Z}_q^*$ as its master secret key, and compute $y = g_2^{\kappa}$ as its master public key.

3) Select cryptographic hash functions $H_0(\cdot) : \{0,1\}^* \to G_1$ and $H_1(\cdot) : \{0,1\}^* \to \mathbb{Z}_q^*$.

4) Publish the system global parameters $\Psi = (e, q, G_1, G_2, G_T, g_1, g_2, y, H_0(\cdot), H_1(\cdot), \psi)$.

LowerLevel.Setup: In an MTA-OTIBAS scheme, before a lower-level TA can recruit members, it must be enrolled by the root TA. The root TA may add the public information of a lower-level TA (e.g., identity and public key) to the system global parameters. Let the identity of a lower-level TA $T_i$ be $ID_{T_i}$. $T_i$ picks $\kappa_i \in \mathbb{Z}_q^*$ as its secret key and computes $y_i = g_2^{\kappa_i}$ as its public key. $(ID_{T_i}, y_i)$ are submitted to the root TA. On input $(ID_{T_i}, y_i)$, the root TA generates a certificate $cert_{T_i}$, which is signed using its master secret key. Finally, $cert_{T_i}$ is sent to $T_i$.

Extract: Suppose a signer with identity $ID_j$ wants to join the system maintained by $T_i$, whose secret key is $\kappa_i$. On input the signer's identity $ID_j$, $T_i$ generates the private key for the signer as follows:

1) Compute $id_{j,0} = H_0(ID_j, 0)$, $id_{j,1} = H_0(ID_j, 1)$;

2) Compute $id_{j,0}^{\kappa_i}$ and $id_{j,1}^{\kappa_i}$, and set $s_{j,i} = (id_{j,0}^{\kappa_i}, id_{j,1}^{\kappa_i})$ as the private key of the signer.

Sign: To sign a message $m_k$, a signer with identity $ID_j$ enrolled by $T_i$ and private key $s_{j,i} = (id_{j,0}^{\kappa_i}, id_{j,1}^{\kappa_i})$ computes $h_k = H_1(m_k, ID_j, cert_{T_i})$ and $\sigma_k = id_{j,0}^{\kappa_i} \cdot (id_{j,1}^{\kappa_i})^{h_k}$. The signer outputs $\sigma_k$ as the signature on $m_k$.

Aggregate: This publicly computable algorithm aggregates $n$ signatures into a single signature. Let an entity collect $n$ message-signature pairs $\{(m_1, \sigma_1), \ldots, (m_n, \sigma_n)\}$ signed by $n$ users with corresponding identities $\{ID_1, \ldots, ID_n\}$ enrolled by $l$ lower-level TAs $\{T_1, \ldots, T_l\}$. For simplicity, we assume $\{ID_1, \ldots, ID_{t_1}\}$, $\{ID_{t_1+1}, \ldots, ID_{t_2}\}$, ..., $\{ID_{t_{l-1}+1}, \ldots, ID_n\}$ are enrolled by $T_1, \ldots, T_l$ respectively. The message-signature pairs are divided into $l$ sets corresponding to the $l$ lower-level TAs. This algorithm outputs $\Pi$ as the resulting aggregate signature, where $\Pi = \prod_{k=1}^{n} \sigma_k$.

Verify: To verify an aggregate signature $\Pi$ on messages $\{m_1, \ldots, m_n\}$ under $I_1 = \{ID_1, \ldots, ID_{t_1}\}$, $I_2 = \{ID_{t_1+1}, \ldots, ID_{t_2}\}$, ..., $I_l = \{ID_{t_{l-1}+1}, \ldots, ID_n\}$ enrolled by $T_1, \ldots, T_l$ respectively, the verifier performs the following steps:

1) For $1 \le j \le n$, compute $h_j = H_1(m_j, ID_j, cert_{T_i})$ (where $T_i$ is the lower-level TA that enrolled $ID_j$) and $id_{j,0} = H_0(ID_j, 0)$, $id_{j,1} = H_0(ID_j, 1)$.

2) Define $I'_1 = \{1, \ldots, t_1\}$, $I'_2 = \{t_1 + 1, \ldots, t_2\}$, ..., $I'_l = \{t_{l-1} + 1, \ldots, n\}$. Check

$e(\Pi, g_2) = \prod_{i=1}^{l} e\Big(\prod_{j \in I'_i} id_{j,0} \cdot id_{j,1}^{h_j},\; y_i\Big)$.

Output 1 if the equation holds; else output 0.
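As an added example (not code from the paper), the following Python models the Sign, Aggregate and Verify algebra of the scheme above with the groups represented "in the exponent": a $G_1$ element $g_1^x$ is stored as $x \bmod q$, a $G_2$ element $g_2^y$ as $y \bmod q$, and $e(g_1^x, g_2^y)$ as $xy \bmod q$. The prime $q$, the TA identities, the certificate strings and the messages are constructed for the demonstration, and $H_0$, $H_1$ are SHA-256 stand-ins. It checks that the verification equation holds for an aggregate spanning two lower-level TAs, and fails once a message is altered or a signer is attributed to the wrong TA; it is not a pairing implementation and offers no security.

```python
import hashlib
import secrets

# Constructed prime group order q (the Mersenne prime 2^127 - 1); a real deployment
# uses the order of a pairing-friendly curve, which this exponent model does not provide.
Q = (1 << 127) - 1


def _oracle(*parts):
    """Deterministic random-oracle stand-in returning an element of Z_q^*."""
    data = b"\x00".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def H0(identity, bit):
    """H0 : {0,1}* -> G1; returns the exponent alpha with id = g1^alpha."""
    return _oracle("H0", identity, bit)


def H1(message, identity, cert):
    """H1 : {0,1}* -> Z_q^*."""
    return _oracle("H1", message, identity, cert)


def pairing(x_in_g1, y_in_g2):
    """e(g1^x, g2^y) = e(g1, g2)^{xy}, stored as the exponent xy."""
    return x_in_g1 * y_in_g2 % Q


class LowerLevelTA:
    """A lower-level TA T_i with secret kappa_i and public key y_i = g2^{kappa_i}."""

    def __init__(self, identity):
        self.identity = identity
        self.kappa = secrets.randbelow(Q - 1) + 1
        self.y = self.kappa                       # exponent of g2^{kappa_i}
        # Constructed stand-in for cert_{T_i}; the root TA's signature is omitted here.
        self.cert = f"cert({identity},{self.y})"

    def extract(self, identity):
        """Extract: s_{j,i} = (id_{j,0}^{kappa_i}, id_{j,1}^{kappa_i})."""
        return (H0(identity, 0) * self.kappa % Q, H0(identity, 1) * self.kappa % Q)


def sign(identity, cert, private_key, message):
    """Sign: sigma = id_{j,0}^{kappa_i} (id_{j,1}^{kappa_i})^{h} with h = H1(m, ID, cert)."""
    h = H1(message, identity, cert)
    s0, s1 = private_key
    return (s0 + h * s1) % Q


def aggregate(signatures):
    """Aggregate: Pi = product of the sigma_k (a sum of exponents in this model)."""
    return sum(signatures) % Q


def verify(Pi, groups):
    """Verify: e(Pi, g2) == prod_i e(prod_{j in I_i} id_{j,0} id_{j,1}^{h_j}, y_i).

    groups is a list of (y_i, cert_{T_i}, [(ID_j, m_j), ...]), one entry per TA."""
    lhs = pairing(Pi, 1)                          # g2 itself has exponent 1
    rhs = 0
    for y_i, cert, members in groups:
        inner = 0
        for identity, message in members:
            h = H1(message, identity, cert)
            inner = (inner + H0(identity, 0) + h * H0(identity, 1)) % Q
        rhs = (rhs + pairing(inner, y_i)) % Q     # product in G_T = sum of exponents
    return lhs == rhs


def demo():
    """Aggregate over two TAs; returns (valid, tampered_message_ok, wrong_ta_ok)."""
    T1, T2 = LowerLevelTA("TA-1"), LowerLevelTA("TA-2")            # constructed TAs
    enrolment = [("alice", T1, "m1"), ("bob", T1, "m2"), ("carol", T2, "m3")]
    # Each private key is extracted once and used for exactly one signature.
    sigs = [sign(ID, ta.cert, ta.extract(ID), m) for ID, ta, m in enrolment]
    Pi = aggregate(sigs)
    groups = [(T1.y, T1.cert, [("alice", "m1"), ("bob", "m2")]),
              (T2.y, T2.cert, [("carol", "m3")])]
    valid = verify(Pi, groups)
    tampered = [(T1.y, T1.cert, [("alice", "m1-altered"), ("bob", "m2")]),
                (T2.y, T2.cert, [("carol", "m3")])]
    wrong_ta = [(T1.y, T1.cert, [("alice", "m1"), ("bob", "m2"), ("carol", "m3")])]
    return valid, verify(Pi, tampered), verify(Pi, wrong_ta)


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The grouping by TA in `verify` is what makes the multi-TA aggregation work: each $y_i$ multiplies only the identities its TA enrolled, so moving a signer to another group changes both the hash input (the certificate) and the public key on the right-hand side.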


4 Security proof

An MTA-OTIBAS scheme should be secure. Informally, an MTA-OTIBAS scheme is said to be secure if no polynomial-time attacker not requesting a private key of an entity enrolled by a lower-level TA can forge an aggregate signature that is valid (i.e., such that Verify outputs 1) corresponding to that entity enrolled by the lower-level TA.

In general, the security of an MTA-OTIBAS scheme is modeled via the following EUF-CMA (existential forgery under adaptive chosen-message attack) game, which takes place between a challenger $\mathcal{CH}$ and an adversary $\mathcal{A}$. The game has the following three stages:

Initialize: $\mathcal{CH}$ runs the Root.Setup algorithm to obtain a master secret key and the system parameters. $\mathcal{CH}$ then sends the system parameters to $\mathcal{A}$ while keeping secret the master secret key.

Attack: $\mathcal{A}$ can perform a polynomially bounded number of the following types of queries in an adaptive manner.

• LowerLevel.Setup queries: $\mathcal{A}$ may ask $\mathcal{CH}$ to set up a lower-level TA. On input an identity $ID_{T_i}$ of a lower-level TA, $\mathcal{CH}$ generates the secret key and certificate of the lower-level TA.

• Corrupt.LowerLevel queries: $\mathcal{A}$ can request the secret key of a lower-level TA $T_i$. On input $ID_{T_i}$, $\mathcal{CH}$ outputs the corresponding secret key of $T_i$.

• Extract queries: $\mathcal{A}$ can request the private key of an entity with identity $ID_j$ issued by a lower-level TA $T_i$. On input $(ID_j, cert_{T_i})$, $\mathcal{CH}$ outputs the corresponding private key of the entity.

• Sign queries: $\mathcal{A}$ can request an entity's signature on a message $m_k$. On receiving a query on $(m_k, ID_j, cert_{T_i})$, $\mathcal{CH}$ generates a valid signature $\sigma_j$ on $m_k$ under $(ID_j, cert_{T_i})$, and replies with $\sigma_j$.


Forgery: $\mathcal{A}$ outputs $l'$ sets of identities $I^*_1 = \{ID^*_1, \ldots, ID^*_{t_1}\}$, $I^*_2 = \{ID^*_{t_1+1}, \ldots, ID^*_{t_2}\}$, ..., $I^*_{l'} = \{ID^*_{t_{l'-1}+1}, \ldots, ID^*_n\}$ enrolled by $l'$ lower-level TAs with certificates from the set $\{cert^*_{T_1}, \ldots, cert^*_{T_{l'}}\}$, a set of $n$ messages $\{m^*_1, \ldots, m^*_n\}$ and an aggregate signature $\sigma^*$. For simplicity, we assume $m^*_i$ corresponds to $ID^*_i$ for $i \in \{1, \ldots, n\}$.


$\mathcal{A}$ wins the above game if all of the following conditions are satisfied:

1) $\sigma^*$ is a valid aggregate signature on messages $\{m^*_1, \ldots, m^*_n\}$ under $I^*_1 = \{ID^*_1, \ldots, ID^*_{t_1}\}$, $I^*_2 = \{ID^*_{t_1+1}, \ldots, ID^*_{t_2}\}$, ..., $I^*_{l'} = \{ID^*_{t_{l'-1}+1}, \ldots, ID^*_n\}$ and $\{cert^*_{T_1}, \ldots, cert^*_{T_{l'}}\}$.

2) At least one private key of an entity issued by a lower-level TA is not queried by $\mathcal{A}$ during the Extract queries, and that lower-level TA is not corrupted. Without loss of generality, we assume the identity of the entity is $ID^*_1$ and its corresponding lower-level TA is $T^*_1$ with certificate $cert^*_{T_1}$.

3) For a message $m \neq m^*_1$, the query $(m, ID^*_1, cert^*_{T_1})$ can be queried at most once, and $(m^*_1, ID^*_1, cert^*_{T_1})$ is never queried during the Sign queries.

We can now define the security of an MTA-OTIBAS 
scheme in terms of the above game. 
Definition 1. An MTA-OTIBAS scheme is secure, i.e., secure against existential forgery under adaptive chosen-message attack, iff the success probability of any polynomially bounded adversary in the above EUF-CMA game is negligible.

We next recall the co-CDH assumption on which the security of the signature scheme in Section 3 rests.

Definition 2 (co-CDH Assumption). The co-CDH assumption in two cyclic groups $G_1$ and $G_2$ of prime order $q$ equipped with bilinearity states that, for randomly chosen $a, b \in \mathbb{Z}_q^*$, it is hard for any polynomial-time algorithm, given the challenge instance, to compute $g_1^{ab}$.

Regarding the security of our MTA-OTIBAS scheme, we have the following claim.

Theorem 1. Assume an adversary $\mathcal{A}$ has an advantage $\epsilon$ in forging an MTA-OTIBAS scheme of Section 3 in an attack modeled by the above EUF-CMA game, within a time span $\tau$; the adversary can make at most $q_{H_i}$ $H_i(\cdot)$ queries ($i = 0, 1$), $q_L$ LowerLevel.Setup queries, $q_C$ Corrupt.LowerLevel queries, $q_E$ Extract queries and $q_S$ Sign queries. Then the challenger can solve the co-CDH problem with probability $\epsilon' \ge \frac{\epsilon}{e^2 (q_C + q_E + q_S + n + 2)^2}$ within time $\tau' = \tau + O(4 q_{H_0} + q_L + q_S)\,\tau_{G_1}$, where $\tau_{G_1}$ is the time to compute a point exponentiation in $G_1$ and $n$ is the size of the aggregating set.

Proof: Let $\mathcal{CH}$ be a co-CDH attacker who receives a co-CDH challenge instance on $(g_1, g_2)$ and wants to compute the value $g_1^{ab}$. $\mathcal{A}$ is an adversary who interacts with $\mathcal{CH}$ as modeled in the EUF-CMA game. We show how $\mathcal{CH}$ can use $\mathcal{A}$ to break the co-CDH assumption.

Initialize: Firstly, $\mathcal{CH}$ selects $\Psi = (e, q, G_1, G_2, G_T, g_1, g_2, y, H_0(\cdot), H_1(\cdot), \psi)$, where $y = g_2^{\kappa}$ and $\kappa$ is the master secret key; then $\Psi$ is sent to $\mathcal{A}$.

Attack: We consider the hash functions $H_0(\cdot)$ and $H_1(\cdot)$ as random oracles. $\mathcal{A}$ can perform the following types of queries in an adaptive manner.

$H_0(\cdot)$ queries: $\mathcal{CH}$ maintains a list $H_0^{list}$ of tuples $(ID_i, \alpha_{i,0}, \alpha'_{i,0}, \alpha_{i,1}, \alpha'_{i,1}, id_{i,0}, id_{i,1}, coin_i)$. This list is initially empty. Whenever $\mathcal{CH}$ receives an $H_0$ query on $(ID_i, j)$ (where $j = 0$ or $1$), $\mathcal{CH}$ does the following:

• If $ID_i$ exists in a previous query, find $(ID_i, \alpha_{i,0}, \alpha'_{i,0}, \alpha_{i,1}, \alpha'_{i,1}, id_{i,0}, id_{i,1}, coin_i)$ on $H_0^{list}$ and return $id_{i,j}$.

• Else, first flip a coin $coin_i \in \{0, 1\}$ that yields 1 with probability $\delta$ and 0 with probability $1 - \delta$. Then do:

  - If $coin_i = 0$, select $\alpha_{i,0}, \alpha_{i,1} \in \mathbb{Z}_q^*$, compute $id_{i,0} = g_1^{\alpha_{i,0}}$, $id_{i,1} = g_1^{\alpha_{i,1}}$, set $\alpha'_{i,0} = \alpha'_{i,1} = 0$, return $id_{i,j}$ and add $(ID_i, \alpha_{i,0}, \alpha'_{i,0}, \alpha_{i,1}, \alpha'_{i,1}, id_{i,0}, id_{i,1}, coin_i)$ to $H_0^{list}$.

  - Else randomly select $\alpha_{i,0}, \alpha'_{i,0}, \alpha_{i,1}, \alpha'_{i,1} \in \mathbb{Z}_q^*$, set $id_{i,0} = g_1^{\alpha_{i,0}} g_1^{a \alpha'_{i,0}}$, $id_{i,1} = g_1^{\alpha_{i,1}} g_1^{a \alpha'_{i,1}}$, and add $(ID_i, \alpha_{i,0}, \alpha'_{i,0}, \alpha_{i,1}, \alpha'_{i,1}, id_{i,0}, id_{i,1}, coin_i)$ to $H_0^{list}$. Return $id_{i,j}$ as the answer.

LowerLevel.Setup queries: $\mathcal{CH}$ maintains a list $TA^{list}$ of tuples $(ID_{T_i}, \kappa_i, y_i, cert_{T_i}, coin_{T_i})$. On input an identity $ID_{T_i}$ of a lower-level TA, $\mathcal{CH}$ does the following:

• If there is a tuple $(ID_{T_i}, \kappa_i, y_i, cert_{T_i}, coin_{T_i})$ on $TA^{list}$, return $cert_{T_i}$ as the answer.

• Else, choose $\kappa_i \in \mathbb{Z}_q^*$, flip a coin $coin_{T_i} \in \{0, 1\}$ that yields 1 with probability $\delta$ and 0 with probability $1 - \delta$, and do the following:

  - If $coin_{T_i} = 0$, set $\kappa_i$ as the secret key, compute $y_i = g_2^{\kappa_i}$, generate a certificate $cert_{T_i}$ corresponding to $(ID_{T_i}, y_i)$, and add $(ID_{T_i}, \kappa_i, y_i, cert_{T_i}, coin_{T_i})$ to $TA^{list}$.

  - Else, compute $y_i = g_2^{b \kappa_i}$, generate a certificate $cert_{T_i}$ corresponding to $(ID_{T_i}, y_i)$, and add $(ID_{T_i}, \kappa_i, y_i, cert_{T_i}, coin_{T_i})$ to $TA^{list}$.

In the rest of this paper, we assume that if a certificate $cert_{T_i}$ appears, $\mathcal{A}$ has already made a corresponding LowerLevel.Setup query.

$H_1(\cdot)$ queries: $\mathcal{CH}$ keeps a list $H_1^{list}$ of tuples $(ID_i, m_i, cert_{T_i}, h_i, coin'_i)$. This list is initially empty. Whenever $\mathcal{A}$ issues a query $H_1(ID_i, m_i, cert_{T_i})$, $\mathcal{CH}$ does the following:

• If there is a tuple $(ID_i, m_i, cert_{T_i}, h_i, coin'_i)$ on $H_1^{list}$, return $h_i$ as the answer.

• Else, submit $(ID_i, 0)$ to $H_0$ and recover the tuple $(ID_i, \alpha_{i,0}, \alpha'_{i,0}, \alpha_{i,1}, \alpha'_{i,1}, id_{i,0}, id_{i,1}, coin_i)$ from $H_0^{list}$, recover the tuple $(ID_{T_i}, \kappa_i, y_i, cert_{T_i}, coin_{T_i})$ from $TA^{list}$, and flip a coin $coin'_i \in \{0, 1\}$ that yields 1 with probability $\delta$ and 0 with probability $1 - \delta$. Then do the following:

  - If $coin_{T_i} = coin_i = 1$ and $coin'_i = 1$, set $h_i = -\alpha'_{i,0} / \alpha'_{i,1}$, add $(ID_i, m_i, cert_{T_i}, h_i, coin'_i)$ to $H_1^{list}$ and return $h_i$ as the answer.

  - Else, randomly select $h_i \in \mathbb{Z}_q^*$, add $(ID_i, m_i, cert_{T_i}, h_i, coin'_i)$ to $H_1^{list}$ and return $h_i$ as the answer.

Corrupt.LowerLevel queries: On input an identity $ID_{T_i}$ of a lower-level TA, $\mathcal{CH}$ first makes a LowerLevel.Setup query on $ID_{T_i}$, and recovers the tuple $(ID_{T_i}, \kappa_i, y_i, cert_{T_i}, coin_{T_i})$ on $TA^{list}$. If $coin_{T_i} = 0$, $\mathcal{CH}$ returns $\kappa_i$ as the answer; otherwise, $\mathcal{CH}$ aborts.

Extract queries: When $\mathcal{A}$ issues an Extract query on $(ID_i, cert_{T_i})$, the same answer is given if the request has been asked before. Otherwise, $\mathcal{CH}$ recovers $(ID_{T_i}, \kappa_i, y_i, cert_{T_i}, coin_{T_i})$ from $TA^{list}$ and checks whether $(ID_i, \alpha_{i,0}, \alpha'_{i,0}, \alpha_{i,1}, \alpha'_{i,1}, id_{i,0}, id_{i,1}, coin_i)$ is on $H_0^{list}$; if it is not, $\mathcal{CH}$ submits $(ID_i, j)$ to $H_0(\cdot)$ to generate such a tuple, where $j = 0$ or $1$. Finally, if $coin_i = coin_{T_i} = 1$, $\mathcal{CH}$ aborts; else if $coin_{T_i} = 0$, it returns $(id_{i,0}^{\kappa_i}, id_{i,1}^{\kappa_i})$; else (i.e., $coin_{T_i} = 1$ and $coin_i = 0$, so that $id_{i,0} = g_1^{\alpha_{i,0}}$ and $id_{i,1} = g_1^{\alpha_{i,1}}$) it returns $(\psi(y_i)^{\alpha_{i,0}}, \psi(y_i)^{\alpha_{i,1}})$, which equals $(id_{i,0}^{b\kappa_i}, id_{i,1}^{b\kappa_i})$ since $y_i = g_2^{b\kappa_i}$.

Sign queries: On receiving a Sign query on $(ID_i, m_i, cert_{T_i})$, $\mathcal{CH}$ first queries $H_0(ID_i, j)$ ($j = 0$ or $1$), LowerLevel.Setup($ID_{T_i}$) and $H_1(ID_i, m_i, cert_{T_i})$ if they were not queried before, then recovers $(ID_i, \alpha_{i,0}, \alpha'_{i,0}, \alpha_{i,1}, \alpha'_{i,1}, id_{i,0}, id_{i,1}, coin_i)$ from $H_0^{list}$, $(ID_{T_i}, \kappa_i, y_i, cert_{T_i}, coin_{T_i})$ from $TA^{list}$ and $(ID_i, m_i, cert_{T_i}, h_i, coin'_i)$ from $H_1^{list}$. Finally $\mathcal{CH}$ generates the signature as follows:

• If $coin_i = coin_{T_i} = coin'_i = 1$, compute and output $\sigma_i = \psi\big(g_2^{b \kappa_i (\alpha_{i,0} + h_i \alpha_{i,1})}\big) = \psi(y_i)^{\alpha_{i,0} + h_i \alpha_{i,1}}$. This is a valid signature because $h_i = -\alpha'_{i,0}/\alpha'_{i,1}$ makes $id_{i,0} \cdot id_{i,1}^{h_i} = g_1^{\alpha_{i,0} + h_i \alpha_{i,1}}$, the $a$-dependent factor cancelling.

• Else if $coin_i = coin_{T_i} = 1$ and $coin'_i = 0$, abort.

• Else, use the Sign algorithm to generate the signature, since the corresponding private key is known to $\mathcal{CH}$.

Note that, as defined in our security assumptions, an adversary can only get one signature corresponding to the target identity and lower-level TA. Hence, $\mathcal{CH}$ aborts if $coin_i = coin_{T_i} = 1$ and $coin'_i = 0$.

Forgery: Eventually, $\mathcal{A}$ outputs $l'$ sets of identities $I^*_1 = \{ID^*_1, \ldots, ID^*_{t_1}\}$, $I^*_2 = \{ID^*_{t_1+1}, \ldots, ID^*_{t_2}\}$, ..., $I^*_{l'} = \{ID^*_{t_{l'-1}+1}, \ldots, ID^*_n\}$ enrolled by $l'$ lower-level TAs with certificates from the set $\{cert^*_{T_1}, \ldots, cert^*_{T_{l'}}\}$, a set of $n$ messages $\{m^*_1, \ldots, m^*_n\}$ and an aggregate signature $\Pi^*$. Once $\mathcal{A}$ finishes its queries and returns its forgery, $\mathcal{CH}$ proceeds with the following steps.

For all $i \in \{1, \ldots, n\}$ and $j \in \{1, \ldots, l'\}$, $\mathcal{CH}$ finds $(ID^*_i, \alpha^*_{i,0}, \alpha'^*_{i,0}, \alpha^*_{i,1}, \alpha'^*_{i,1}, id^*_{i,0}, id^*_{i,1}, coin^*_i)$ on $H_0^{list}$ and $(ID_{T^*_j}, \kappa^*_j, y^*_j, cert^*_{T_j}, coin_{T^*_j})$ on $TA^{list}$. For all $ID^*_i \in I^*_j$, $\mathcal{CH}$ also recovers the tuples $(ID^*_i, m^*_i, cert^*_{T_j}, h^*_i, coin'^*_i)$ from $H_1^{list}$, where $ID^*_i$ is enrolled by $T_j$. It is required that there exists $ID^*_i \in I^*_j$ such that $coin^*_i = coin_{T^*_j} = 1$ and $coin'^*_i = 0$. Without loss of generality, we assume $i = j = 1$. Besides, it is required that for $2 \le i \le n$, $coin^*_i = 0$. In addition, the forged aggregate signature must satisfy

$e(\Pi^*, g_2) = \prod_{j=1}^{l'} e\Big(\prod_{i \in I'_j} id^*_{i,0} \cdot (id^*_{i,1})^{h^*_i},\; y_j\Big)$,

where $id^*_{i,0} = H_0(ID^*_i, 0)$, $id^*_{i,1} = H_0(ID^*_i, 1)$, $h^*_i = H_1(ID^*_i, m^*_i, cert^*_{T_j})$, $I'_1 = \{1, \ldots, t_1\}$, $I'_2 = \{t_1 + 1, \ldots, t_2\}$, ..., $I'_{l'} = \{t_{l'-1} + 1, \ldots, n\}$. Otherwise, $\mathcal{CH}$ aborts.

Since the forged aggregate signature must satisfy $e(\Pi^*, g_2) = \prod_{j=1}^{l'} e(\prod_{i \in I'_j} id^*_{i,0} (id^*_{i,1})^{h^*_i}, y_j)$, and $id^*_{1,0} = g_1^{\alpha^*_{1,0}} g_1^{a \alpha'^*_{1,0}}$, $id^*_{1,1} = g_1^{\alpha^*_{1,1}} g_1^{a \alpha'^*_{1,1}}$, while for all $i \in \{2, \ldots, n\}$ (for which $coin^*_i = 0$) $id^*_{i,0} = g_1^{\alpha^*_{i,0}}$ and $id^*_{i,1} = g_1^{\alpha^*_{i,1}}$, we have

$\Pi^* = \big(id^*_{1,0} (id^*_{1,1})^{h^*_1}\big)^{b \kappa_1} \cdot \prod_{j=1}^{l'} \psi(y_j)^{\sum_{i \in I'_j,\, i \neq 1} (\alpha^*_{i,0} + h^*_i \alpha^*_{i,1})}$,

where $y_1 = g_2^{b \kappa_1}$ since $coin_{T^*_1} = 1$. Expanding the first factor gives $\big(id^*_{1,0} (id^*_{1,1})^{h^*_1}\big)^{b \kappa_1} = \psi(y_1)^{\alpha^*_{1,0} + h^*_1 \alpha^*_{1,1}} \cdot (g_1^{ab})^{\kappa_1 (\alpha'^*_{1,0} + h^*_1 \alpha'^*_{1,1})}$, so $\mathcal{CH}$ computes

$g_1^{ab} = \Big( \Pi^* \Big/ \prod_{j=1}^{l'} \psi(y_j)^{\sum_{i \in I'_j} (\alpha^*_{i,0} + h^*_i \alpha^*_{i,1})} \Big)^{1 / \big(\kappa_1 (\alpha'^*_{1,0} + h^*_1 \alpha'^*_{1,1})\big)}$.

Every quantity on the right-hand side other than $\Pi^*$ is known to $\mathcal{CH}$, and the exponent $\kappa_1 (\alpha'^*_{1,0} + h^*_1 \alpha'^*_{1,1})$ is nonzero except with negligible probability, because $coin'^*_1 = 0$ means $h^*_1$ was chosen at random rather than set to $-\alpha'^*_{1,0}/\alpha'^*_{1,1}$.
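To check the algebra of the extraction step above, here is an added example (not from the paper) that carries it out on exponents: $g_1^x$ and $g_2^x$ are both stored as $x \bmod q$, multiplication becomes addition of exponents, exponentiation becomes multiplication, and $\psi$ is the identity on exponents. The prime $q$ and the random values are constructed; the forger is played by a routine that simply knows every exponent, which is allowed in a model but is not an attack on anything. The block verifies that the challenger's formula recovers $ab$ when $coin'^*_1 = 0$, and that when $coin'^*_1 = 1$ (the $H_1$ simulation sets $h_1 = -\alpha'_{1,0}/\alpha'_{1,1}$) the root exponent vanishes and nothing can be extracted, which is why event S3 requires $coin'^*_1 = 0$.

```python
import secrets

Q = (1 << 127) - 1            # constructed prime group order (Mersenne prime 2^127 - 1)


def rnd():
    """Uniform element of Z_q^*."""
    return secrets.randbelow(Q - 1) + 1


def inv(x):
    """Inverse in Z_q^* (q prime, Fermat)."""
    return pow(x, Q - 2, Q)


def h0_tuple(a, coin):
    """H0 simulation; returns (alpha0, alpha0', alpha1, alpha1', id0, id1) as exponents."""
    if coin == 0:
        al0, al1 = rnd(), rnd()
        return (al0, 0, al1, 0, al0, al1)          # id_{i,j} = g1^{alpha_{i,j}}, alpha' = 0
    al0, al0p, al1, al1p = rnd(), rnd(), rnd(), rnd()
    return (al0, al0p, al1, al1p,
            (al0 + a * al0p) % Q,                  # id_{i,0} = g1^{alpha_{i,0}} g1^{a alpha'_{i,0}}
            (al1 + a * al1p) % Q)                  # id_{i,1} = g1^{alpha_{i,1}} g1^{a alpha'_{i,1}}


def ta_public_key(b, kappa, coin):
    """LowerLevel.Setup simulation: y_i = g2^{kappa_i} if coin_T = 0, else g2^{b kappa_i}."""
    return kappa if coin == 0 else b * kappa % Q


def forge(y_logs, members, hs):
    """Plays the forger in the model: Pi* = prod_i (id_{i,0} id_{i,1}^{h_i})^{log y_{j(i)}}.
    members[i] = (h0_tuple of ID*_i, index j of the enrolling TA); hs[i] = h*_i."""
    total = 0
    for (tup, j), h in zip(members, hs):
        id0, id1 = tup[4], tup[5]
        total = (total + y_logs[j] * (id0 + h * id1)) % Q
    return total


def extract_co_cdh(Pi_star, y_logs, members, hs, kappa1):
    """Challenger's last step: divide Pi* by prod_j psi(y_j)^{sum_{i in I'_j}(alpha_{i,0}+h_i alpha_{i,1})}
    (a group operation on public elements) and take the 1/(kappa_1 (alpha'_{1,0}+h_1 alpha'_{1,1}))
    root.  Returns the exponent of g1^{ab}, or None when that root exponent is zero."""
    known = 0
    for (tup, j), h in zip(members, hs):
        al0, al1 = tup[0], tup[2]
        known = (known + y_logs[j] * (al0 + h * al1)) % Q
    tup1, h1 = members[0][0], hs[0]
    denom = kappa1 * (tup1[1] + h1 * tup1[3]) % Q
    if denom == 0:
        return None
    return (Pi_star - known) * inv(denom) % Q


def demo():
    """Returns (extraction_correct, result_when_coin1_prime_is_1)."""
    a, b = rnd(), rnd()                            # co-CDH secrets; only the instance builder sees them
    kappas = [rnd(), rnd()]                        # T_1 with coin_T = 1, T_2 with coin_T = 0
    y_logs = [ta_public_key(b, kappas[0], 1), ta_public_key(b, kappas[1], 0)]
    members = [(h0_tuple(a, 1), 0),                # ID*_1: coin_1 = coin_{T_1} = 1
               (h0_tuple(a, 0), 0),                # ID*_2: coin_2 = 0, enrolled by T_1
               (h0_tuple(a, 0), 1)]                # ID*_3: coin_3 = 0, enrolled by T_2
    hs = [rnd(), rnd(), rnd()]                     # coin'_1 = 0: h*_1 is a random oracle value
    Pi_star = forge(y_logs, members, hs)
    got = extract_co_cdh(Pi_star, y_logs, members, hs, kappas[0])
    # coin'_1 = 1 case: h_1 = -alpha'_{1,0} / alpha'_{1,1}, so the a-dependent part cancels.
    t1 = members[0][0]
    hs_cancel = [(-t1[1] * inv(t1[3])) % Q, hs[1], hs[2]]
    Pi_cancel = forge(y_logs, members, hs_cancel)
    got_cancel = extract_co_cdh(Pi_cancel, y_logs, members, hs_cancel, kappas[0])
    return got == a * b % Q, got_cancel


if __name__ == "__main__":
    print(demo())   # (True, None)
```

The second half of `demo` is the reason the simulator cannot answer a Sign query on the target identity with a random $h$ and still extract: the same cancellation that lets it sign when $coin'_i = 1$ removes the only factor that carries $ab$.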




To complete the proof, we shall show that $\mathcal{CH}$ solves the given instance of the co-CDH problem with probability at least $\epsilon'$. First, we analyze the three events needed for $\mathcal{CH}$ to succeed:

• S1: $\mathcal{CH}$ does not abort as a result of any of $\mathcal{A}$'s Corrupt.LowerLevel, Extract and Sign queries.

• S2: $\mathcal{A}$ generates a valid and nontrivial aggregate signature forgery.

• S3: S2 occurs, $coin^*_1 = coin_{T^*_1} = 1$, $coin'^*_1 = 0$, and for $2 \le i \le n$, $coin^*_i = 0$.

$\mathcal{CH}$ succeeds if all of these events happen. The probability $\Pr[S1 \wedge S2 \wedge S3]$ can be decomposed as $\Pr[S1 \wedge S2 \wedge S3] = \Pr[S1] \cdot \Pr[S2 \mid S1] \cdot \Pr[S3 \mid S1 \wedge S2]$.

Claim 1. The probability that $\mathcal{CH}$ does not abort as a result of $\mathcal{A}$'s Corrupt.LowerLevel, Extract and Sign queries is at least $(1 - \delta)^{q_C + q_E + q_S}$. Hence we have $\Pr[S1] \ge (1 - \delta)^{q_C + q_E + q_S}$.

Proof: For a Corrupt.LowerLevel query, $\mathcal{CH}$ will abort iff $coin_{T_i} = 1$. It is easy to see that the probability that $\mathcal{CH}$ does not abort is $1 - \delta$. Since $\mathcal{A}$ can make at most $q_C$ Corrupt.LowerLevel queries, the probability that $\mathcal{CH}$ does not abort as a result of $\mathcal{A}$'s Corrupt.LowerLevel queries is at least $(1 - \delta)^{q_C}$.

For an Extract query, $\mathcal{CH}$ will abort iff $coin_i = coin_{T_i} = 1$. It is easy to see that the probability that $\mathcal{CH}$ does not abort for an Extract query is $1 - \delta^2 \ge 1 - \delta$. Since $\mathcal{A}$ can make at most $q_E$ Extract queries, the probability that $\mathcal{CH}$ does not abort as a result of $\mathcal{A}$'s Extract queries is at least $(1 - \delta)^{q_E}$.

When $\mathcal{CH}$ receives a Sign query, it will abort iff $coin_i = coin_{T_i} = 1$ and $coin'_i = 0$ happen. So for a Sign query, the probability that $\mathcal{CH}$ does not abort is $1 - \delta^2 (1 - \delta) \ge 1 - \delta$. Since $\mathcal{A}$ makes at most $q_S$ Sign queries, the probability that $\mathcal{CH}$ does not abort as a result of $\mathcal{A}$'s Sign queries is at least $(1 - \delta)^{q_S}$.

Overall, we have $\Pr[S1] \ge (1 - \delta)^{q_C + q_E + q_S}$.

Claim 2. $\Pr[S2 \mid S1] \ge \epsilon$.

Proof: If $\mathcal{CH}$ does not abort, then $\mathcal{A}$'s view is identical to its view in the real attack. Hence, $\Pr[S2 \mid S1] \ge \epsilon$.

Claim 3. The probability that $\mathcal{CH}$ does not abort after $\mathcal{A}$ outputs a valid and nontrivial forgery is at least $\delta^2 (1 - \delta)^n$. Hence $\Pr[S3 \mid S1 \wedge S2] \ge \delta^2 (1 - \delta)^n$.

Proof: Events S1 and S2 have occurred, and $\mathcal{A}$ has generated a valid and nontrivial forgery $(ID^*_1, \ldots, ID^*_n; m^*_1, \ldots, m^*_n; \Pi^*)$. $\mathcal{CH}$ will abort unless $\mathcal{A}$ generates a forgery such that there exists an $i \in \{1, \ldots, n\}$ with $coin^*_i = coin_{T^*_j} = 1$ and $coin'^*_i = 0$, and $coin^*_{i'} = 0$ for the other $n - 1$ identities (without loss of generality $i = 1$ and $coin^*_i = 0$ for $2 \le i \le n$). Therefore, $\Pr[S3 \mid S1 \wedge S2] \ge \delta^2 (1 - \delta)^n$.

In total, we have $\epsilon' = \Pr[S1 \wedge S2 \wedge S3] \ge (1 - \delta)^{q_C + q_E + q_S} \cdot \delta^2 (1 - \delta)^n \cdot \epsilon \ge \frac{\epsilon}{e^2 (q_C + q_E + q_S + n + 2)^2}$, where $e$ is Euler's constant.
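The last inequality depends on how $\delta$ is chosen, which the proof does not spell out. The following added example (not from the paper) evaluates the product of the three claims as a function of $\delta$, takes $\delta = 2/(q_C + q_E + q_S + n + 2)$ as an assumed choice (it maximizes $(1-\delta)^{M} \delta^2$ for $M = q_C + q_E + q_S + n$), cross-checks that maximum by a grid search, and confirms that the closed-form bound of Theorem 1 lies below the exact expression for several constructed query counts.

```python
import math


def reduction_success(delta, qC, qE, qS, n, eps):
    """Lower bound on Pr[S1 and S2 and S3] from Claims 1-3:
    (1 - delta)^(qC + qE + qS) * eps * delta^2 * (1 - delta)^n."""
    return (1 - delta) ** (qC + qE + qS) * eps * delta ** 2 * (1 - delta) ** n


def stated_bound(qC, qE, qS, n, eps):
    """The closed-form bound of Theorem 1: eps / (e^2 (qC + qE + qS + n + 2)^2)."""
    return eps / (math.e ** 2 * (qC + qE + qS + n + 2) ** 2)


def optimal_delta(qC, qE, qS, n):
    """With M = qC + qE + qS + n, setting d/d delta [M ln(1 - delta) + 2 ln delta] = 0
    gives delta = 2 / (M + 2).  Assumed choice; the paper does not state one."""
    return 2 / (qC + qE + qS + n + 2)


def grid_best_delta(qC, qE, qS, n, steps=4000):
    """Brute-force argmax of reduction_success over a delta grid, as a cross-check."""
    best_delta, best_val = 0.0, -1.0
    for k in range(1, steps):
        d = k / steps
        v = reduction_success(d, qC, qE, qS, n, 1.0)
        if v > best_val:
            best_delta, best_val = d, v
    return best_delta


def check(qC, qE, qS, n, eps=0.5):
    """Returns (exact bound at the optimal delta, stated bound, exact >= stated)."""
    d = optimal_delta(qC, qE, qS, n)
    exact = reduction_success(d, qC, qE, qS, n, eps)
    stated = stated_bound(qC, qE, qS, n, eps)
    return exact, stated, exact >= stated


if __name__ == "__main__":
    # Constructed query counts: qC, qE, qS, n
    for params in [(10, 100, 50, 5), (0, 1, 1, 1), (1000, 1000, 1000, 100)]:
        exact, stated, ok = check(*params)
        print(params, f"exact={exact:.3e}", f"stated={stated:.3e}", ok,
              f"grid delta={grid_best_delta(*params):.5f}",
              f"optimal delta={optimal_delta(*params):.5f}")
```

At the optimal $\delta$ the exact expression exceeds the stated bound by a factor of roughly $4 (1-\delta)^{M} e^2 \ge 4$, so the theorem's constant is conservative; any $\delta$ in $(0, 1)$ that is not too far from $2/(M+2)$ still satisfies the stated bound, which is all the proof needs.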

5 Conclusion 

We have proven that our MTA-OTIBAS concrete scheme is existentially unforgeable against adaptively chosen-message attacks in the random oracle model under the co-CDH problem assumption.